Why Can I Not Access PDM from My Browser?

When you attempt to access PDM, the message "the page cannot be displayed" appears in Internet Explorer or the message "network connection was refused by the server" appears in Netscape Communicator. These messages occur because the computer running the browser cannot access the PIX Firewall.

There are two requirements for a computer to communicate with the PIX Firewall. First, it must have an IP address. Second, the computer must have its default gateway IP address pointing to the IP address of the PIX Firewall unit's inside interface. (If the host you are adding is on the other side of a router, the host's default gateway address has to point to the router, and the router's default address has to point to the PIX Firewall unit.)

To set the default gateway IP address, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.0. After changing the default gateway or the IP address, be sure to reboot your computer.

If you have already assigned an IP address and default gateway to your computer, and you rebooted your computer, but you still cannot access the PIX Firewall, follow these steps:

Step 1 Check that your network cabling is correctly connected. Most computers have status lights on the Ethernet device, which you can use to verify that your interface has connectivity with the network. If you are connecting a workstation directly to the PIX Firewall unit's Ethernet interface, either use a cross-over cable or add a hub or switch between your computer and the PIX Firewall.

Step 2 If status lights are working or no status lights are present, access a DOS command prompt in Windows, or use the UNIX or Linux command line to ping the PIX Firewall unit's interface IP address. For example, if the inside interface's IP address is 10.1.1.1, use the following command to ping the PIX Firewall:

ping 10.1.1.1

If the ping is unsuccessful or the response times out, there is a power or network connectivity problem with a hub or switch between the computer and the PIX Firewall unit.

Note Depending on your operating system, you might want to use the traceroute or tracert commands to troubleshoot the route between your computer and the PIX Firewall unit.

Step 3 If you do not detect a network connectivity problem in Step 1 or Step 2, attempt to connect to PDM from a browser by entering the following URL:

https://PIX_Inside_Interface_IP_Address

Note Do not forget to add the "s" to "https" or the installation will fail. The acronym "HTTPS" stands for "Secure Hypertext Transfer Protocol."

Step 4 If you are still unable to access PDM from your browser, access your PIX Firewall unit from the console port and verify that the following conditions exist:

a. You are running PIX Firewall version 6.0 or above. To determine your software version, enter the show version command and check the first line of the output.

b. You have PDM installed. To determine if PDM is installed on your PIX Firewall unit, enter the show version command and check the second line of the output.

c. You have http server enabled. To determine if you have http server enabled, enter the show http command and check the first line of the output.

Why Does PDM Start Up Slowly?

The startup speed of PDM depends on the amount of available RAM in your computer and whether virus scanning software is running on your computer. You can increase your RAM by closing other applications. The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 1.5 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.

How Do I Print My Configuration?

In PDM, use the File>Show Configuration in New Window menu to view the configuration in a separate window. From the separate browser window, you can then use the File>Print command to print the configuration.

Why Does the Certificate Display a Message Stating It Is In the Future Each Time I Connect to a Server?

If you accidentally set the PIX Firewall unit's clock to the local time instead of UTC (Universal Coordinated Time, formerly known as Greenwich Mean Time or GMT), the certificate will display a message stating it is in the future each time users connect to a server. To fix the clock setting, go to the PIX Firewall console and use the show clock command to view the time setting on the PIX Firewall. If it is not set to UTC time, use the clock command to input the correct time setting. In addition, you can use the show ca cert command to check the time stamp on the certificate.

Why Do the Monitoring Tab Graphs Have the Wrong Time Information?

PDM assumes that the PIX Firewall clock is set to UTC. PDM then adds or subtracts the difference between your time zone and UTC and uses that time in the graphs. If the PIX Firewall clock is not set to UTC, the graphs will display the wrong time. To fix the clock setting, go to the PIX Firewall console and use the show clock command to view the time setting on the PIX Firewall. If it is not set to UTC time, use the clock command to input the correct time setting.

How Do I Know the Size of My PIX Firewall Configuration?

You can view the size of your configuration from the PIX Firewall console. Either connect a computer to the PIX Firewall unit or use Telnet to access the console. After entering the enable mode password, use the show flashfs command to view the configuration size, as shown in the following example:

show flashfs

flash file system: version:2 magic:0x12345679

file 0: origin: 0 length:2502712

file 1: origin: 2621440 length:2324

file 2: origin: 0 length:0

file 3: origin: 2752512 length:2608708

file 4: origin: 8257536 length:280

The "file 1" line lists the number of characters in your configuration after the "length" parameter. In this example, the configuration consists of 2,324 characters. Divide this number by 1,024 to view the number of kilobytes. The configuration in this example is slightly more than 2 KB.

The optimal configuration file size to use with PDM is less than 100 KB, which is approximately 1500 lines. PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation.
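The size check described above can be scripted against captured show flashfs output. The following is an added example, not part of the original Cisco documentation; the function names are hypothetical, the sample text is the output shown on this page, and the "file N: origin: X length:Y" line layout is assumed from that sample.

```python
import re

# Sample input: the show flashfs output from the example on this page.
SAMPLE = """\
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:2502712
file 1: origin: 2621440 length:2324
file 2: origin: 0 length:0
file 3: origin: 2752512 length:2608708
file 4: origin: 8257536 length:280
"""

# Line layout assumed from the sample above.
FILE_LINE = re.compile(r"^\s*file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)\s*$")
CONFIG_FILE_INDEX = 1   # per this page, "file 1" holds the configuration
PDM_LIMIT_KB = 100      # this page's guidance: keep the configuration under 100 KB


def parse_flashfs(text):
    """Return {file_index: (origin, length)} for every 'file N:' line."""
    files = {}
    for line in text.splitlines():
        match = FILE_LINE.match(line)
        if match:  # header and blank lines are skipped
            index, origin, length = (int(g) for g in match.groups())
            files[index] = (origin, length)
    return files


def config_size_report(text):
    """Report the configuration size and whether it meets the PDM guidance."""
    files = parse_flashfs(text)
    if CONFIG_FILE_INDEX not in files:
        raise ValueError("no 'file 1' line found in show flashfs output")
    length = files[CONFIG_FILE_INDEX][1]
    kb = length / 1024  # characters to kilobytes, as described above
    return {
        "chars": length,
        "kb": round(kb, 2),
        "within_pdm_guidance": kb < PDM_LIMIT_KB,
    }


if __name__ == "__main__":
    print(config_size_report(SAMPLE))
```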

What If More Than Five People Need Access to a Single PIX Firewall Unit from PDM?

The maximum number of simultaneous sessions is five in the current version. If more than five people need to use PDM, one or more can use the PIX Firewall console via Telnet. If you know that a PDM administrator's session is idle and wish to disconnect it, access the PDM Users panel on the Monitoring tab. If you know the IP address of the idle connection, select the row, and click Disconnect. Another administrator can now access PDM.

Where Can I Find Information on PDM Caveats?

For information on PDM caveats, refer to the "Caveats" section of the Release Notes for the Cisco Secure PIX Firewall Version 6.0(1) document at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/pixrn601.htm

Why Does the Browser Ask for My Password Again?

If you change the password on the PIX Firewall unit, the browser might ask you to re-enter the password for authentication.

Why Does the Browser Ask Me to Accept the Security Certificate Again?

If you change the hostname or domain of the PIX Firewall unit, the browser asks you to accept the new security certificate.